Sending your Wii to Nintendo for an official repair? An Important Article By Hackmii.

A faithful HackMii reader spent some time with AnyTitle Deleter and tried to clean everything odd off his Wii, and used the HackMii Installer to uninstall the HBC and BootMii/boot2. He then sent his Wii into Nintendo (of America) to try to get them to repair a noisy drive; the warranty had expired, and he just wanted to pay them to repair the drive.

After they received the Wii, they wrote him back and said that because he had unauthorized software installed (something they could not fix themselves — but more on this later), it would cost $200 for them to do any repair. He had them just send him back the Wii, and then reinstalled BootMii/boot2 and dumped the NAND and sent it to us to figure out what he had missed and anything else we could gain from the image.

I have a few theories as to what they detected, based on what things he did not manage to delete — and for a while, that’s all we had to go on, and it wasn’t going to make for a very interesting article. However, several hours with 0xED and grep and xxd paid off, and I found some traces of the disc they ran to detect “Illegal software”. Unfortunately, I was only able to find part of the data section of the main DOL of the disc, and not the code, so I don’t have actual screenshots to share — you’ll have to use your imagination this time. (If anyone has sent a Wii in to Nintendo for repair in the past few months, and received the same Wii back — no refurbs! — I’d love to see a NAND dump, especially if you took one right after you received it back. I may be able to reconstruct the rest of the disc.)

Here is the raw output of ’strings’ on the relevant part of the data section:

We have to do some reading between the lines here, but what we have is a disc with a fairly simple text-based UI (much like the “Wii Backup Disc” we looked at a couple of years ago) — but at least this time they’ve added colors (the BL, YE, RD tags presumably change the color of text displayed on the screen). There are a few different menus / screens you can traverse through, but the long and short of it is that they are looking for:

Save data — they are looking to delete data from “SetPersonalData.wad” (?!) and from “DigicamPrintChannel” (which you might have if you had messed around with the regions on your Wii. They then run a check for “unauthorized rewittern data”, which seems to reuse the same old CheckSavedataZD function from the System Menu, after authenticating as RZDE/J/P.

“Illegal Channel(s)/Firmware” — as far as I can tell, this isn’t some specific check for HBC / DVDX / whatever. This is a bit more clever — they seem to be enumerating all tickets and all TMDs on the system, and looking to see if any of them are fakesigned. This will catch pretty much anything that is, as they say, “unauthorized” that you have installed.

“Use of Copy Disc” — I think this actually refers to their own Wii Backup Disc. It’s not entirely clear to me why they care about this. This check seems to be done by looking for the existence of /shared2/succession/shop.log. (In this context, “succession” seems to refer to the transfer of some identity info from one (presumably broken) Wii to another.)

Once they’ve done this scan, they can then do several things — most common is probably to generate a log file on an SD card. They can also launch any of the “Illegal Channels” they find, and output any of the TMD info to SD. They even have the option of deleting all of this stuff — but it seems that they’ve been told not to do this (remember, they claimed they can’t, and in fact, they didn’t before our friend got his Wii back).

In this case, what did they detect, and how? It continues to surprise me that Nintendo seems to not use any sort of special “hacked IOS” to make their lives easier — sure, the “Wii Backup Disc” came with its own (infamous) IOS16, but there wasn’t really anything special about it and we were never quite clear why they bothered. The disc runs as 1-2 and judging by its error messages, as group 0 — this means they can read and write most files in the filesystem directly, but they seem to use ES calls to do most of the work.

As for what they found — this Wii was bought second-hand, and it looks like there was a lot of “crap” on it at one point. Purely by looking for fakesigned tickets and TMDs, I found one each for 1-250 (IOS250) and 1-0 (“IOS0″ — this is a bogus ticket used to gain group 0 access, Waninkoko’s old FS dumper used this and I think that AnyTitle Deleter may as well). Something that I found that Nintendo didn’t was a bunch of crap left over from a Preloader install — extra files in 1-2’s data directory, as well as some extra files in /shared2.

Thanks for this interesting read, Ithian. Am I correct in reading that the items discovered are due to a less than thorough use of AnyTitleDeleter by the current owner of that Wii? Or are there items caught by the Pre-repair disc that can't be handled by ATD?

A little of both from what I've been reading. While the user did miss his IOS0 and IOS250 the UID is still present on the system which keeps a record of every title installed on the console, even the entries for the initial bootup disks at the factory. So without overwriting that it's still possible to detect what has or hasn't been tampered (fakesigned) with.

Edit: I just saw this from bushing,

@Muzer: It was probably nothing more than missing IOS250 from his deletion spree … but I just checked, and AnyTitle Deleter adds “IOS0″ and never cleans it up. I’m not even positive you *can* clean it up, since it uses that ticket/TMD to delete the files.

"I think that the Wii is a beautiful piece of hardware, and a broken Wii is a tragedy. It doesn’t matter why or how." -- Bushing

Dont think they would ever fix a wii anyhow they just want a good snoop to see can they counteract new stuff added id say, Anyway why give them a Wii to fix why should they have all the fun fixing it Good info do Ithian nice to see your on your toes lol..

for a multi-million pound company thats been around forever you would have thought they would at least try(harder) to stop hackers,this was a good indication that they try but not too hard,maybe they are all stoners?
PS: Is re-installing your Nand the same as cleaning the Wii,or does it leave something behind?

Here's another post by bushing I thought people might be interested in:

Someone brought up a good point on IRC — it’s not clear how exactly they are doing this signature verification (just looking for zeroes, or is it actually running RSA on all of the tickets/TMDs)? If it’s fast enough, they might start doing this every time the system menu starts. A year ago, I’d have considered this unlikely, but –

They’re already using one of the functions from the system menu that runs on every boot in this program (CheckSavedataZD)

They’ve apparently added a function to the SDK for this purpose (OSGetTitleStatus)

They already have the code written to do this for all titles (SearchUnauthCh_CheckTMDs, SearchUnauthCh_CheckTickets)

They already released an update that “bricked” Wiis (4.2’s system menu looks for the Korean common key in EEPROM every time you boot, and halts if it finds this — I put “brick” in quotes because they would be able to fix this in a repair center if they had a disk that would reinstall the Korean system menu). I see no reason to think they would treat “Illegal channels” any differently, and they would probably justify this to themselves based on the fact that they would still be able to boot a disc and clear off the “Illegal channels” … for $200

I say this every time, but it bears repeating — do not upgrade your Wii! It feels like we’re about due for another update, and this one will probably be worse than the last.

To try to stem the inevitable flow of suggestions — there are a number of different ways to respond to a completely noxious update, but they’re all somewhat unpleasant (hard to code, invasive to the system, potential for misuse, potential for bricking the system). I even have a few of them already partially written. We’ve held back on releasing anything along those lines because there has been no need and we didn’t want to escalate the “arms race”, but if Nintendo is willing to nonchalantly update boot2 on all Wiis and put stupid checks in the system menu, we don’t have much to lose at this point.

(Meaning: We don’t need any suggestions, but we’re not willing to show all of our cards yet.)

Originally Posted by hkot

PS: Is re-installing your Nand the same as cleaning the Wii,or does it leave something behind?

If you mean a simple NAND restore via Bootmii, then no. While it will restore everything that loads after the initial bootup process (IOS/system menu/savedata/channels/etc.), there are other sectors on the console which retain diagnostic data and other miscellaneous information about what has been run/installed.

"I think that the Wii is a beautiful piece of hardware, and a broken Wii is a tragedy. It doesn’t matter why or how." -- Bushing

3 Users Say Thank You to Ithian For This Useful Post

So, if I understand correctly there is basically a sector that acts like the temporary internet history folder does in Windows. If this is the case, shouldn't there be a way to go in and delete the information we don't want them to know about?